ps security data column includes AppArmor confinement mode in 16.04

Bug #1561330 reported by Tyler Hicks
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
procps (Ubuntu) | Won't Fix | Low | Unassigned |

Bug Description

In Xenial, running linux 4.4.0-15-generic and procps 2:3.3.10-4ubuntu2, I see that the security data column has changed to displaying the AppArmor confinement mode:

$ ps wZ $(pidof cups-browsed)
LABEL PID TTY STAT TIME COMMAND
/usr/sbin/cups-browsed (enforce) 786 ? Ssl 0:00 /usr/sbin/cups-browsed

This is different than what is displayed in 15.10:

$ ps wZ $(pidof cups-browsed)
LABEL PID TTY STAT TIME COMMAND
/usr/sbin/cups-browsed 548 ? Ssl 0:00 /usr/sbin/cups-browsed

There was a large AppArmor kernel change in Xenial's 4.4.0-15-generic, so to rule that out I booted into an earlier Xenial kernel and saw the same issue:

$ uname -a
Linux sec-xenial-i386 4.4.0-7-generic #22-Ubuntu SMP Thu Feb 18 20:50:09 UTC 2016 i686 i686 i686 GNU/Linux
$ ps wZ $(pidof cups-browsed)
LABEL PID TTY STAT TIME COMMAND
/usr/sbin/cups-browsed (enforce) 631 ? Ssl 0:00 /usr/sbin/cups-browsed

John Johansen (jjohansen) wrote :

The apparmor /proc/ interface has always included the mode info, so the change must be in how ps handles the security label.

Tyler Hicks (tyhicks) wrote :

I agree and intentionally opened the bug against procps because I was able to convince myself that it was a procps change and not an AppArmor change.

I don't think this change is a problem and, personally, I like seeing the confinement mode in the output.

I think we've come to the conclusion that this is fine behavior, so I'm going to mark this bug as invalid since we don't plan on 'fixing' anything here.

Changed in procps (Ubuntu):
status: New → Invalid
status: Invalid → Won't Fix
Tyler Hicks (tyhicks) wrote :

Actually, Won't Fix is a better fit. We can change it back to Confirmed if we decide that it is causing problems.

John Johansen (jjohansen) wrote :

For the record, it is this commit that made the change:

https://gitlab.com/procps-ng/procps/commit/5da390422d2b58902731655ddd12439126a051da

It was previously terminating the string when it hit the space before the mode. Now it is using isprint(outbuf[len]) and space is a printable character.
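
The truncation difference described in the comment above, as an added example that is not part of the original bug report and is not procps source code: two simplified scanning loops written from the comment's description, plus a hypothetical `split_label` helper for scripts that need the profile name whichever `ps` produced the column. Assumptions: the sample label is constructed from the report's output with a trailing newline appended, and the mode is taken to be the final " (...)" suffix.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Old behaviour as described in the thread: the label ends at the first space. */
size_t label_len_stop_at_space(const char *buf)
{
    size_t len = 0;
    while (buf[len] && isprint((unsigned char)buf[len]) && buf[len] != ' ')
        len++;
    return len;
}

/* New behaviour as described: every printable character, space included, is kept. */
size_t label_len_isprint(const char *buf)
{
    size_t len = 0;
    while (buf[len] && isprint((unsigned char)buf[len]))
        len++;
    return len;
}

/* Hypothetical helper: split "profile (mode)" into its parts. Returns 1 when a
 * mode suffix is present, 0 when it is not ("unconfined", or a 15.10-style label). */
int split_label(const char *label, char *profile, size_t plen, char *mode, size_t mlen)
{
    size_t n = label_len_isprint(label);   /* drops the trailing newline */
    const char *open = NULL;
    mode[0] = '\0';
    if (n >= 4 && label[n - 1] == ')')     /* search backwards for the last " (" */
        for (size_t i = n - 1; i-- > 1; )
            if (label[i] == '(' && label[i - 1] == ' ') { open = label + i; break; }
    size_t pn = open ? (size_t)(open - label) - 1 : n;
    snprintf(profile, plen, "%.*s", (int)pn, label);
    if (open)
        snprintf(mode, mlen, "%.*s", (int)(label + n - 1 - (open + 1)), open + 1);
    return open != NULL;
}

int main(void)
{
    /* Constructed sample: label text from the report plus an assumed newline. */
    const char *raw = "/usr/sbin/cups-browsed (enforce)\n";
    char profile[256], mode[32];
    int has_mode = split_label(raw, profile, sizeof profile, mode, sizeof mode);
    printf("old=%zu new=%zu profile=%s mode=%s has_mode=%d\n",
           label_len_stop_at_space(raw), label_len_isprint(raw), profile, mode, has_mode);
    return 0;
}
```

Matching on the split profile name rather than the whole LABEL column keeps a monitoring script working across both the 15.10 and 16.04 output formats.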
